OIDC & OAuth 2.0 Flows

OAuth 2.0 is the industry-standard authorization protocol. It lets an app obtain limited, delegated access to protected resources held by another app or website, typically on behalf of an end user and without that app ever handling the user's credentials. OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0's authorization mechanism: in addition to authorizing access, it lets an app verify the user's identity (via a signed ID token) and obtain basic user profile information.

The following flows are supported:

  • Authorization Code : Used by a web or mobile/native app to authenticate users, such as for login to a retail website or banking app. The authorization server redirects back to the app with a short-lived authorization code, which the client backend exchanges for ID and access tokens.
  • Client Credentials : Used by an application (no end user involved) to obtain client access tokens as needed to call Mosaic APIs.
  • Resource Owner Password Credentials : Used to obtain a user access token directly from the user's password credentials, without any browser interaction. Should only be used by highly trusted apps, in cases where other flows aren't viable. See API
  • Client-Initiated Backchannel Authentication (CIBA) : Allows the client to initiate an authentication process on behalf of the user from a device the user can't access directly (such as the computer of a call center agent or of the bank teller), where the user authenticates using a separate device (such as their smartphone). See guide
  • Device Authorization Flow : Used to authenticate users that want to access an app from an input-limited device or one without a browser (such as smart TVs and watches, game consoles, kiosks, etc.). See guide
  • RP-Initiated Logout : Used to log out end-users from their authentication sessions
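The Authorization Code flow above is the one most apps will implement, and the security of the whole login rests on a few client-side checks. The following is an added example written for this page, not Mosaic's own SDK or API: it builds the authorization request with a `state` value and a PKCE challenge (RFC 7636, assumed here as the recommended hardening), validates the redirect back from the authorization server, builds the body the client backend posts to the token endpoint, and performs the ID token claim checks an RP must do after verifying the JWT signature. The endpoint URLs, client ID and redirect URI are hypothetical placeholders; signature verification against the issuer's JWKS is deliberately out of scope and the callback URL in the demo is constructed, not captured from a real server.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical issuer and client registration (placeholders, not from the page).
ISSUER = "https://idp.example.com"
AUTHORIZE_URL = ISSUER + "/oauth2/authorize"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for state, nonce and PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(scope: str = "openid profile"):
    """Build the authorization request URL.

    Returns (url, pending). `pending` holds the secrets the client must keep in
    the user's server-side session to validate the callback and the ID token.
    """
    state = b64url(secrets.token_bytes(16))     # binds the callback to this request (CSRF defence)
    nonce = b64url(secrets.token_bytes(16))     # echoed in the ID token; binds the token to this login
    verifier = b64url(secrets.token_bytes(32))  # PKCE code_verifier; only the challenge leaves the client
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    pending = {"state": state, "nonce": nonce, "verifier": verifier}
    return AUTHORIZE_URL + "?" + urlencode(params), pending


def handle_callback(callback_url: str, pending: dict) -> dict:
    """Validate the redirect from the authorization server and build the token request body.

    Raises ValueError on any problem: a code must never be exchanged unless the
    state matches the one this session issued.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if code is None or state is None:
        raise ValueError("callback is missing code or state")
    if not secrets.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch (possible CSRF or replayed callback)")
    # Body the client backend POSTs to the token endpoint. A confidential client
    # also authenticates (e.g. client_secret); the code_verifier lets the server
    # check it against the code_challenge it saw in the authorization request.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": pending["verifier"],
    }


def check_id_token_claims(claims: dict, pending: dict, now: float = None) -> str:
    """Claim checks to run AFTER the ID token signature has been verified against the
    issuer's JWKS. `claims` is the already-decoded payload. Returns the subject."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("ID token was not issued for this client")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("ID token has expired")
    if not secrets.compare_digest(str(claims.get("nonce", "")), pending["nonce"]):
        raise ValueError("nonce mismatch (token not bound to this login)")
    return claims["sub"]


if __name__ == "__main__":
    url, pending = start_login()
    print("redirect user to:", url)
    # Constructed callback standing in for the real redirect from the server.
    body = handle_callback(REDIRECT_URI + "?code=abc123&state=" + pending["state"], pending)
    print("token request body:", body)
    # Constructed, already-verified ID token payload standing in for a real one.
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": time.time() + 300,
              "nonce": pending["nonce"], "sub": "user-1"}
    print("logged in subject:", check_id_token_claims(claims, pending))
```

The three values kept in `pending` are the whole point: `state` stops an attacker from completing a login they started in the victim's browser, `nonce` ties the issued ID token to this particular login attempt, and the PKCE `code_verifier` means an intercepted authorization code is useless without the secret that never left the client.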